ISPs begin fighting IP lookup requests in wake of data leak

In the wake of the massive ACS Law e-mail leak, ISPs in the UK are now …

UK Internet providers have now banded together to challenge anti-P2P law firms who try to turn thousands of IP addresses into customer names—and a London court will hear their objections to the entire process.

The ISPs were burned last month when a massive e-mail leak from the top anti-P2P firm in the UK, ACS Law, exposed their own spreadsheets of customer names matched to the pornographic films they allegedly downloaded. The revelation of this embarrassing (and unproven) behavior was compounded by the fact that several of the ISPs were taking no security precautions, instead e-mailing their Excel spreadsheets unencrypted and without passwords.

PlusNet's Chief Operating Officer Richard Fletcher apologized last week to customers. "We are investigating how we came to be sending unencrypted data as we have robust systems for managing data," he said. But the blame, in his view, lies largely elsewhere: "We are extremely angry with ACS Law for allowing this to happen."

PlusNet, along with other ISPs like BSkyB, showed up in a London court yesterday to challenge the newest "Norwich Pharmacal Order" (NRO). NROs allow companies like ACS Law and rival firm Gallant Macmillan to take their lists of allegedly infringing IP addresses to ISPs and ask for a lookup; the orders function much like subpoenas in similar US cases.

A portion of BT's infringer list, revealed by the ACS Law leak

ISPs generally go along with NROs, but not anymore. Several of them have now asked Special Master Winegarten, the UK legal official who grants many of these NROs, to hold a detailed hearing on how the data is collected and how it is protected. Winegarten agreed yesterday, giving the ISPs three months to prepare their case for a January 2011 hearing on the matter. Until then, it appears that no new NROs related to file-sharing will be forthcoming.

PlusNet's Fletcher was at the hearing. In a post to PlusNet users, Fletcher said he was "pleased that the court has agreed to an adjournment so that our concerns can be examined by the court; this will then act as a precedent/test case for the future."

He's not opposed to rightsholders protecting their copyrights, but he does want "to ensure broadband subscribers are adequately protected so that rights holders can pursue their claims for copyright infringement without causing unnecessary worry to innocent people."

This means the January hearing may take a deep dive into the way that IP addresses are collected by P2P detection firms; the UK in particular has been flooded with complaints from people who say they are totally innocent.

Whether or not it leads to better data collection practices, ISP resistance to turning over subscriber names is sure to increase—and that could eat into the profits of the law firms engaged in what is largely a numbers game. This is bad news for Andrew Crossley and his employees at ACS Law—as his own cash flow projections show, he needs to keep pumping out the settlement letters to keep the revenue flowing in. Not being able to turn IP addresses into cash-generating leads for at least three more months can't be good for business.

Funny how the "well, how about we just sue 'em all" business model keeps coming up. I guess a lot of these management people must be new to this whole "googling" thing or just don't get how this series of tubes allows people to interact. Who would have guessed it's manpower intensive and requires precautions/data protection?

Evidently Party Girls is a very popular video. Evidently nobody explained to the British Law folks that you should only threaten to release the information. Once the cat is out of the bag, so to speak, you have no leverage on getting people to pay.

"You better pay or we'll release the movies you've been downloading."
"You already did you Wanker."
"Oh yea, well, you better pay or we'll release them again!"

Might also want to point out that Plusnet is a BT subsidiary. BT itself had already complied with ACS at the time they also decided to fight ACS with Plusnet.

How much of their decision to fight them has to do with the fact that BT are now under investigation for "taking no security precautions, instead e-mailing their Excel spreadsheets unencrypted and without passwords" when responding to ACS as BT, remains to be seen.

This data was obtained through criminal (DDOS attack) means. Does it have any validity in court?

I doubt that they will be using the actual lists as evidence, rather I would expect them to point to the fact that their (ACS) inept handling of sensitive data caused a breach. The fact that they were hacked is the evidence, not the data itself.

This data was obtained through criminal (DDOS attack) means. Does it have any validity in court?

Untrue. The site going down was due to a Denial of service attack which is, I believe, illegal. BUT, it was when the site was reestablished that the webmaster, by error or incompetence, put the whole server open to the Internet instead of just the web page. It was putting the confidential information up for anyone to access that has ACS law in the hot seat for possibly six-figure damages.

Regardless of your view on copyright issues... the irony here is delicious.

A previous article regarding ACS Law mentioned their (his) source for the lists of ISP addresses; that company seemed a bit shady (different legal entities, work done by same persons/techniques...). How do they collect these lists? Any legal formalities to be observed?

Surprises me there is no talk of a class action against the law firm for breach of privacy. The EU generally has very strict privacy laws for personal data like this that I think would still cover a situation like this.

I feel sorry for the people that have been named downloading this illegal stuff. Yes they did break the law and should therefore be subject to the punishments available to the court, but they didn't deserve this public humiliation. There is such a thin line here between privacy and open information about criminal activity. Thanks to Ars for keeping us all up to date about the whole case, it's very engaging.

It will be interesting to see the admissibility of the spreadsheets. Can they really be assumed to have been obtained illegally if the dumb webmaster left the server open?

It's pretty ridiculous that the file shows your full address too. Any given first and last name wouldn't really mean much, but with the full address shown there's almost no room for ambiguity. The more prudish neighbors/parents are going to freak.

I feel sorry for the people that have been named downloading this illegal stuff. Yes they did break the law and should therefore be subject to the punishments available to the court, but they didn't deserve this public humiliation.

Really? What evidence do you have besides a spreadsheet with their name next to a porno? How rigorous was the method by which you came by this evidence? Is the evidence reliable and/or repeatable? Can it be reasonably shown that it is accurate?

This data was obtained through criminal (DDOS attack) means. Does it have any validity in court?

So, by denying service to the site, the data was made available via the denied service?

Perhaps not, but had the DDoS not occurred, the server would not have come down and the inept Server Admin would not have had the chance to expose the entire directory. And why would someone who was genuinely going to the site just randomly start taking stuff from it? Just because the door is open makes it right? It seems more likely, and this is just my opinion, that it was someone who was participating in the DDoS, saw an opportunity and took it.

And even if the people in this list have never heard of some of what they're alleged to have D/L, the fact that people in the area that they may have daily dealings with might believe they did and won't admit it could be very damaging to them. If the person(s) who stole* wanted to be honest and responsible they would have turned it in to the companies and authorities as evidence that ACS was lax in their privacy security. Of course then they might have gotten in trouble for how they got the information in the first place.

*yes stole, it wasn't theirs, they wouldn't have normally had access to it but "happened to stumble by" while the door was open. Just because the door is unlocked and open doesn't mean come on in and take whatever you like.

This data was obtained through criminal (DDOS attack) means. Does it have any validity in court?

They probably won't use the information in the leaked document itself but rather go with the "Those 'orrible lawyers let private information leak guv'ner" angle and use the document as one piece of the leaked information.

This data was obtained through criminal (DDOS attack) means. Does it have any validity in court?

So, by denying service to the site, the data was made available via the denied service?

Perhaps not, but had the DDoS not occurred, the server would not have come down and the inept Server Admin would not have had the chance to expose the entire directory.

And if God didn't create the Earth this never would have happened!!!

I feel sorry for the people that have been named downloading this illegal stuff. Yes they did break the law and should therefore be subject to the punishments available to the court, but they didn't deserve this public humiliation.

Really? What evidence do you have besides a spreadsheet with their name next to a porno? How rigorous was the method by which you came by this evidence? Is the evidence reliable and/or repeatable? Can it be reasonably shown that it is accurate?

--RC

You are right; I do not know whether or not they are the ones that actually broke the law. If it can be proven then I am correct. Can it be proven? I have no idea.

I've read a couple of these articles on Ars now, and you've never defined BT. Typically that would be BitTorrent in this context, but I'm assuming it's an ISP? It would be nice if you defined the overloaded acronym, thanks.

Surprises me there is no talk of a class action against the law firm for breach of privacy. The EU generally has very strict privacy laws for personal data like this that I think would still cover a situation like this.

There are two separate court actions against ACS:Law and BT (British Telecom). ACS:Law may have another one on them, each carrying a max fine of 500,000 pounds ($800k). Data loss is taken quite seriously thankfully. Of course that's not a deterrent, they are frequent regardless of massive fines.

I'm no law expert, but surely whether the data was acquired illegally or not is irrelevant: the whole point about encryption and data protection is to prevent exactly this scenario, where somebody maliciously steals (clones, copies, whatever) the data or inadvertently leaks it. It's exactly this scenario that it's supposed to stop, and it's exactly this scenario that between them the two companies have failed to prevent. I can see why illegally obtained evidence would be inadmissible in court, but I suppose it just seems paradoxical to me if the best proof of exactly what they're trying to prevent (i.e. successful malicious acquisition of the data) would be inadmissible!

"You can't prove our data is unprotected!"
"Yes I can, I copied these last night."
"Yeah, well those are inadmissible, because you copied them illegally, we didn't give permission!"
"...dang."

Still, maybe you wouldn't need to submit it as evidence in court because BT have already admitted that it's the real deal and that they were sending things unencrypted.

Of course the best solution is the one implemented by Andrews and Arnold where they classify each subscriber not as an end-user, but as a communications provider (i.e. like a "reseller") which means the lawyers will have to submit applications to each of A&A's customers for themselves to disclose who was using the IP, in effect killing the mass mailing approach of firms like ACS:Law.

Unfortunately, I think the fact that the files weren't encrypted and passworded wasn't that important because tech illiterate people like them would have placed the info needed to open the files in some very obvious place where they can easily find it, like an unprotected word file sitting right next to the protected excel files!